xEM no longer readable after first commands


#1

I purchased two xEM tags in hopes of encoding them with different data using the Proxmark tool. My goal is to use the tags externally (no plans to inject them into the body).

After removing the first tag from the syringe, it showed up as an EM4X tag when doing ‘lf search’ on the Proxmark. ‘lf hid clone …’ would not change the data on the tag. After wiping the tag, ‘lf search’ does not find anything, and I cannot talk to it anymore (even with ‘lf t55xx detect’).

I then tried programming the second tag while still inside of the syringe and sealed polymer bag. ‘lf t55xx detect’ returned results, and I could clone it with ‘lf hid clone …’. Successful cloning was verified by doing an ‘lf search’, and it returned positive results.

However, upon removing the tag from the syringe and placing it close to the antenna (the same angle/direction as when it was still in the bag/syringe), it no longer reads:

proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!

So now both tags are not returning results. Any help would be appreciated.


#2

My experience was that I could not read the xEM with a proxmark easy after a successful clone, but it did in fact work.

Have you tested it against the intended target reader?


#3

Yeah, I’ve tried it against a few different reader types (HID multiCLASS, AptiQ MT15), and they do not beep or read the chip at all.


#4

When it comes to writing data to the T5577 chip inside the xEM, it doesn’t matter what device you use… it’s still possible to tear the configuration bytes. Read this post:

https://forum.dangerousthings.com/t/quirks-of-the-t5577-cloning-tags-to-the-xem/

Now that you’re all caught up on tearing issues, I can say these things:

  1. the response you’re getting trying to read the xEM is the exact response you will get if one of the following is going on: A) you are reading a perfectly configured xEM chip but the coupling is bad due to placement, antenna geometry mis-match, etc. or B) your coupling is good but the configuration bytes on the T5577 have been configured due to invalid data being written, or a tear event occurring.

  2. recovery is possible https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners

  3. we need a proxmark3 manufactured with antennas designed to work with x-series chips.

Thanks,
Amal


#5

The weird thing is that with the second chip, I was able to read it perfectly fine while it was still in the syringe. As soon as I pushed the plunger and it slid out, it no longer would read. Nothing else changed.

Also, is there a reason why the first chip was already reading as a pre-programmed EM4X tag, while the second one read as a blank T5577?


#6

That is really odd… how is your antenna tuned? Which antenna are you using?

Both would have been programmed as an EM4X… that’s how we test before putting them into the syringe… we program them and read the ID back. That way we know it’s good.

Chances are that the coupling you have is unstable and you are getting inconsistent reads. In short, that’s always the problem, at least initially. Other problems arise because of that, including torn config bytes in the T5577 which then makes the chip basically unresponsive.


#7

So, here’s the latest update to the situation:

The first EM4X remains unresponsive, and no matter what commands I try (lf t55xx wipe, etc.), I can’t get it to respond. I’m guessing the analog configuration is torn.

The second one magically started working, and I also found the optimal position for the antenna I was using. I’m using the Elechouse Proxmark3 V2, and the EM4X needs to be perpendicular to the antenna. As soon as I positioned it this way, it started reading the HID details that I had previously programmed.


#8

Try this:

If the xEM was in EM mode prior to becoming unresponsive:

lf t55xx write b 0 d 00148041 p AA55BBBB t

If it was in HID mode:

lf t55xx write b 0 d 00107071 p AA55BBBB t

For reference:

Block 0 analogue configurations:

EM4100, no password      00148041
EM4100, with password    00148051
HID, no password         00107060
HID, with password       00107071
Blank T5577              00088040

The above command, although you’re issuing a password, also has the “t” flag. The t55xx test mode is basically undocumented, but it can be used to do some… odd… things, including fixing the issue you have.
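As an added example (not code from the thread, from Dangerous Things or from the Proxmark3 project), here is a small Python decoder/encoder for the T5577 block 0 configuration word, so the five values listed above can be checked field by field, and a torn write can be compared against the word that was intended. The field layout is the T5577 datasheet's basic-mode layout (bit 1 = MSB), the same one the Proxmark3 client's `lf t55xx info` decodes. The torn value `0x00140000` is constructed for illustration only, and the `write_command` helper simply formats the command string in the syntax the post above uses.

```python
"""Decode / encode the T5577 page 0, block 0 configuration word.

Basic-mode layout from the T5577 datasheet (bit 1 = MSB of the 32-bit word):
  1-4   master key       5-11  reserved (should be 0)   12-14 data bit rate
  15    X-mode           16-20 modulation               21-22 PSK clock factor
  23    AOR              24    OTP                      25-27 max block
  28    password enable  29    sequence terminator      30    fast write
  31    inverse data     32    POR delay
"""

DATA_BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
                  4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct/NRZ", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
               16: "Biphase", 24: "Biphase a"}


def _field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def _place(value, first_bit, width):
    """Inverse of _field: position `value` at datasheet bit `first_bit`."""
    if not 0 <= value < (1 << width):
        raise ValueError("value %d does not fit in %d bits" % (value, width))
    return value << (32 - (first_bit + width - 1))


def decode_block0(word):
    """Return the configuration fields of a 32-bit block 0 word as a dict."""
    word &= 0xFFFFFFFF
    return {
        "master_key": _field(word, 1, 4),
        "reserved": _field(word, 5, 7),
        "bit_rate": DATA_BIT_RATES[_field(word, 12, 3)],
        "x_mode": bool(_field(word, 15, 1)),
        "modulation": MODULATIONS.get(_field(word, 16, 5), "reserved"),
        "psk_cf": _field(word, 21, 2),
        "aor": bool(_field(word, 23, 1)),
        "otp": bool(_field(word, 24, 1)),
        "max_block": _field(word, 25, 3),
        "password": bool(_field(word, 28, 1)),
        "seq_terminator": bool(_field(word, 29, 1)),
        "fast_write": bool(_field(word, 30, 1)),
        "inverse": bool(_field(word, 31, 1)),
        "por_delay": bool(_field(word, 32, 1)),
    }


def encode_block0(bit_rate, modulation, max_block, password=False,
                  por_delay=False, master_key=0, x_mode=False, psk_cf=0,
                  aor=False, otp=False, seq_terminator=False,
                  fast_write=False, inverse=False):
    """Build a block 0 word from named fields (reserved bits 5-11 left 0)."""
    rate_code = {v: k for k, v in DATA_BIT_RATES.items()}[bit_rate]
    mod_code = {v: k for k, v in MODULATIONS.items()}[modulation]
    return (_place(master_key, 1, 4) | _place(rate_code, 12, 3)
            | _place(int(x_mode), 15, 1) | _place(mod_code, 16, 5)
            | _place(psk_cf, 21, 2) | _place(int(aor), 23, 1)
            | _place(int(otp), 24, 1) | _place(max_block, 25, 3)
            | _place(int(password), 28, 1) | _place(int(seq_terminator), 29, 1)
            | _place(int(fast_write), 30, 1) | _place(int(inverse), 31, 1)
            | _place(int(por_delay), 32, 1))


def diff_fields(expected, actual):
    """Names of the fields that differ between two block 0 words.

    Useful for reasoning about a torn write: if the tag ends up with e.g.
    0x00140000 (constructed value) instead of 0x00148041, the modulation
    falls back to Direct/NRZ and max_block to 0, so no demodulator matches
    and `lf search` reports nothing, exactly like a badly coupled tag.
    """
    a, b = decode_block0(expected), decode_block0(actual)
    return [name for name in a if a[name] != b[name]]


def write_command(word, password=None, test_mode=False):
    """Format a block 0 write in the Proxmark3 syntax used in the post above."""
    cmd = "lf t55xx write b 0 d %08X" % (word & 0xFFFFFFFF)
    if password is not None:
        cmd += " p %s" % password
    if test_mode:
        cmd += " t"
    return cmd


if __name__ == "__main__":
    for name, word in [("EM4100 no pwd", 0x00148041), ("EM4100 pwd", 0x00148051),
                       ("HID no pwd", 0x00107060), ("HID pwd", 0x00107071),
                       ("blank T5577", 0x00088040)]:
        f = decode_block0(word)
        print("%-14s %08X  %s %s maxblock=%d pwd=%s" % (
            name, word, f["bit_rate"], f["modulation"], f["max_block"], f["password"]))
    print("torn 0x00140000 differs in:", diff_fields(0x00148041, 0x00140000))
    print(write_command(0x00148041, password="AA55BBBB", test_mode=True))
```

Decoding the table this way shows why those particular words are the ones to restore: EM4100 is RF/64 Manchester with two data blocks, HID Prox is RF/50 FSK2a with three, and the "with password" variants differ only in bit 28. Before writing a recovered word back, it is worth running a candidate through `decode_block0` and checking that the reserved bits are zero and the modulation code is a known one, since a word that is wrong in those fields is what makes the chip look dead in the first place.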